concurrent TTLS and PEAP usage
hecker at enst.fr
Tue Aug 30 17:04:11 CEST 2005
we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP
mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines).
(we also have TLS users, but that's out of scope).
both work like a charm. however, we'd like to prevent PEAP accounts from
logging in with TTLS and vice versa (that's a pure policy decision - one
user profile should specify exactly one auth method). this works mainly
because we store clear text passwords for both MSCHAPv2 and PAP.
assuming e.g. two users user_peap with PEAP/MS-CHAPv2 and user_ttls with
TTLS/CHAP, we would like to modify the profile of the user user_peap so
he can't change the exterior method to TTLS/PAP and vice versa.
note that we don't necessarily use exterior names (since e.g. MS Windows
machines do not permit specifying an alternative user name for the
exterior EAP tunnel).
we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for
user_ttls but that breaks both methods (which seems normal since this
EAP-Type definition is not correct for the internal EAP method which
however uses the same user name).
I thought about specifying tunneled attributes as check items. it turns
out that FR does not show them in the log and I believe that these are
not the same for the PEAP and TTLS anyway.
thus the question to the list: how can I specify a "PEAP/MS-CHAPv2
only" user profile? how can I specify a "TTLS/PAP only" user profile?
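An added configuration example, not part of the original post and not a reply from the list: one way to express this "one profile, one outer method" policy in a later FreeRADIUS (3.x-style) setup, where the inner request runs in the `inner-tunnel` virtual server and can read the outer request's attributes. It assumes the `&outer.request:EAP-Type` reference and a hypothetical site-local attribute `Allowed-Outer-EAP` (defined in a local dictionary) that the `users` file sets per account.

```unlang
# Hypothetical local dictionary entries (raddb/dictionary); the attribute
# number is a placeholder, the VALUEs mirror the EAP-Type numbers so the
# two attributes compare directly:
#   ATTRIBUTE  Allowed-Outer-EAP  3000  integer
#   VALUE      Allowed-Outer-EAP  PEAP  25
#   VALUE      Allowed-Outer-EAP  TTLS  21
#
# Constructed raddb/users entries: the allowed outer method is stored as a
# control item next to the clear-text password, NOT as an EAP-Type check
# item, so it does not break the inner (MS-CHAPv2 / PAP) authentication:
#   user_peap  Cleartext-Password := "peap-secret", Allowed-Outer-EAP := PEAP
#   user_ttls  Cleartext-Password := "ttls-secret", Allowed-Outer-EAP := TTLS

# raddb/sites-enabled/inner-tunnel, authorize section, placed AFTER the
# "files" module so the user's control items are already loaded.
authorize {
    # ... (default modules, including "files", run first) ...

    # The inner request's own EAP-Type is MS-CHAP-V2 for PEAP and absent
    # for TTLS/PAP, which is why a plain EAP-Type check item fails here.
    # Compare the OUTER tunnel type with the per-user policy instead.
    if (&control:Allowed-Outer-EAP && \
        (&outer.request:EAP-Type != &control:Allowed-Outer-EAP)) {
        update reply {
            Reply-Message := "This account is restricted to one EAP method"
        }
        reject
    }
    # Accounts without Allowed-Outer-EAP (e.g. TLS users) are unaffected.
}
```

Because the check runs on the inner User-Name, it does not depend on the outer (anonymous) identity that Windows supplicants cannot set, which was the constraint described above.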